Distro with FreeRadius 1.1

2006-07-28 Thread Graham Beneke

Hi All

I'm trying to set up a FreeRadius 1.1.x - MySQL - phpMyPrepaid system.
I'm looking for a distro that can get me there with the path of least
resistance...


I've currently got a dedicated box running FC4 and FreeRadius 0.9.x and 
I've been fumbling around for 2 weeks now and not getting anywhere.
I found an RPM for ver 1.1.x and tried to install it, but the system was 
unable to resolve a whole stack of dependencies.
I tried to install from source and got attacked by pages and pages of 
warnings and errors that I don't have a clue how to resolve...


Thanks
--


 Graham Beneke
 Apolix Internet Services

E-Mail: [EMAIL PROTECTED] 
WEB: www.apolix.co.za 
Cell: 082-432-1873 
Skype: grbeneke 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


authorize with files + ldap problem

2006-07-28 Thread Wipat Srutiprom

On freeradius-1.0.4-1.FC4.1, which comes with Fedora Core 4,
I want to authorize either a UNIX user (/etc/passwd) or an LDAP user.

The /etc/raddb/users file is:

DEFAULT Auth-Type = System
        Fall-Through = 1

I succeed with both the LDAP user and the UNIX user when /etc/raddb/radiusd.conf
has:

authorize {
    ldap
    files
}

Then I change the order in /etc/raddb/radiusd.conf to:

authorize {
    files
    ldap
}

Now only the UNIX user is accepted, but the LDAP user is rejected.

My sample  radtest:
radtest myuser mypassword localhost 0 testing123

My sample radiusd -X output:
rad_recv: Access-Request packet from host 127.0.0.1:32775, id=165, length=56
User-Name = "myuser"
User-Password = "mypassword"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for demo
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user demo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rad_recv: Access-Request packet from host 127.0.0.1:32775, id=165,
length=56 Sending Access-Reject of id 165 to 127.0.0.1:32775


I wonder why, after the files module has failed, it does not try the LDAP
module. Do I need more config?

Thanks for all help.

--Wipat







Problems on FC4

2006-07-28 Thread Vida Luz Arista
Hi All
 
I have installed the RPM freeradius-1.0.4-1.FC4.1 on Fedora Core 4; however, I have the following problem when I use radtest to test my server:
 
 radtest kiko "kako99" localhost 1812 testing123
Sending Access-Request of id 215 to 127.0.0.1:1812
    User-Name = "vlal"
    User-Password = "vita99"
    NAS-IP-Address = smtp.cablenet.com.ni
    NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=215, length=20
 
All my users are in my system (/etc/passwd and /etc/shadow); I need to enable RADIUS for dial-up users.
 
I am testing the radius server with
 
[EMAIL PROTECTED] raddb]# radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "(null)"
 unix: group = "/etc/group"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
I need your suggestions.
 
Regards.
 
 

Re: assigning vlan based on LDAP attribute

2006-07-28 Thread Thibault Le Meur
One way to do that is to use LDAP groups. If your users are in 
dedicated LDAP groups, then a rule like the following in your "users" 
file will do the trick:

DEFAULT Huntgroup-Name == myAP, Ldap-Group == Engineering
   User-Name=`%{User-Name}`,
   radiusTunnelMediumType: IEEE-802
   radiusTunnelType: VLAN
   radiusTunnelPrivateGroupId: 2
   Fall-Through = no


Sorry... my mistake, use the following rule instead:

DEFAULT Huntgroup-Name == myAP, Ldap-Group == Engineering
  User-Name=`%{User-Name}`,
  Tunnel-Medium-Type=IEEE-802
  Tunnel-Private-Group-Id=2
  Tunnel-Type=VLAN
  Fall-Through = no

Thibault



Re: assigning vlan based on LDAP attribute

2006-07-28 Thread Thibault Le Meur

> I'm trying to add a user to a vlan based on an ldap attribute. I've checked
> out: http://vuksan.com/linux/dot1x/802-1x-LDAP.html and saw the following
> would have to be added to the user's ldap record:
> radiusTunnelMediumType: IEEE-802
> radiusTunnelType: VLAN
> radiusTunnelPrivateGroupId: 2

Yes, that's usually the syntax, but it might depend on your switch/AP, so 
check the docs of your device.



> If I don't want to actually insert that into the LDAP database, is it
> possible for Radius to figure out which vlan to assign to based on some
> other already existing LDAP attribute?


One way to do that is to use LDAP groups. If your users are in 
dedicated LDAP groups, then a rule like the following in your "users" 
file will do the trick:

DEFAULT Huntgroup-Name == myAP, Ldap-Group == Engineering
   User-Name=`%{User-Name}`,
   radiusTunnelMediumType: IEEE-802
   radiusTunnelType: VLAN
   radiusTunnelPrivateGroupId: 2
   Fall-Through = no



> For example, if I want to assign
> users whose userDepartment attribute equals ITS into vlan 3 and those whose
> userDepartment attribute equals HR into vlan 4?  If so, could you give me a
> link to how to do that, or explain briefly?


Ldap-Groups can be "true ldap groups" such as groupOfNames entries. 
However, you may also want to map LDAP-Groups to the value of an 
attribute inside the user's entry.


See the groupmembership_attribute in the ldap configuration section
#   groupmembership_attribute: The attribute in the user entry that states
#   the group the user belongs to.

Refer to the docs/rlm_ldap for more information

HTH,
Thibault



assigning vlan based on LDAP attribute

2006-07-28 Thread Matt Ashfield
Hi All,

I'm trying to add a user to a vlan based on an ldap attribute. I've checked
out: http://vuksan.com/linux/dot1x/802-1x-LDAP.html and saw the following
would have to be added to the user's ldap record:
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
radiusTunnelPrivateGroupId: 2

If I don't want to actually insert that into the LDAP database, is it
possible for Radius to figure out which vlan to assign to based on some
other already existing LDAP attribute? For example, if I want to assign
users whose userDepartment attribute equals ITS into vlan 3 and those whose
userDepartment attribute equals HR into vlan 4?  If so, could you give me a
link to how to do that, or explain briefly?

Thanks for your time,

Matt
[EMAIL PROTECTED]




Re: config: variable not available...

2006-07-28 Thread Alan DeKok
"Duane Cox" <[EMAIL PROTECTED]> wrote:
> Alan discusses it here...
> http://lists.cistron.nl/pipermail/freeradius-devel/2005-March/008105.html
> 
> states it is in CVS back in MARCH 2005 and I am running v1.1.2

  It's not in 1.1.2, sorry.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: ippool error

2006-07-28 Thread Giuseppina Venezia
On 7/28/06, Phil Mayers <[EMAIL PROTECTED]> wrote:
> If the ippool module is saying Pool-Name is not found, then these
> entries must not be matching. Run FreeRadius under debugging with the -X
> argument, and watch for the bit where it processes the "authorize"
> section - see what entries are matched in the "files" module.

The authorize section works well:

Fri Jul 28 17:51:49 2006 : Debug:   modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Fri Jul 28 17:51:49 2006 : Debug:   modcall[authorize]: module "ldap" returns ok for request 0
Fri Jul 28 17:51:49 2006 : Debug:   modsingle[authorize]: calling checkval (rlm_checkval) for request 0
Fri Jul 28 17:51:49 2006 : Debug: rlm_checkval: Item Name: Calling-Station-Id, Value: 00-02-D7-BF-A0-98
Fri Jul 28 17:51:49 2006 : Debug: rlm_checkval: Value Name: Calling-Station-Id, Value: 00-02-D7-BF-A0-98
Fri Jul 28 17:51:49 2006 : Debug:   modsingle[authorize]: returned from checkval (rlm_checkval) for request 0
Fri Jul 28 17:51:49 2006 : Debug:   modcall[authorize]: module "checkval" returns ok for request 0
Fri Jul 28 17:51:49 2006 : Debug: modcall: leaving group authorize (returns ok) for request 0

The authentication also works well. I think that I have some problems in my config.
Thanks.

config: variable not available...

2006-07-28 Thread Duane Cox
I am trying to make use of a variable that should be stored
as: %{config:client[%{Packet-Src-IP-Address}].shortname}

Alan discusses it here...
http://lists.cistron.nl/pipermail/freeradius-devel/2005-March/008105.html

states it is in CVS back in MARCH 2005 and I am running v1.1.2

and my client is listed in clients.conf by IP address (the same IP address as 
the source packet)

postauth_query = "update wireless_data set tower = 
'%{config:client[%{Packet-Src-IP-Address}].shortname}' where serial = .


rlm_sql (waverider): Processing sql_postauth
radius_xlat:  '60:07:93'
rlm_sql (waverider): sql_set_user escaped user --> '60:07:93'
radius_xlat: Running registered xlat function of module config for string 
'client[%{Packet-Src-IP-Address}].shortname'
config: No such section client[%{Packet-Src-IP-Address}] in format string 
client[%{Packet-Src-IP-Address}].shortname
radius_xlat:  'update wireless_data set tower = '' where serial = 'E' + 
substring('60:07:93',2,1) + substring('60:07:93',4,2) +
substring('60:07:93',7,2)'



Re: need help setting/using attribute, did something wrong...

2006-07-28 Thread Phil Mayers

Duane Cox wrote:


DEFAULT NAS-IP-Address == "192.168.0.251", NAS-Identifier := "LAB_CCU"
Fall-Through = Yes

DEFAULT User-Name =~ "^6[0-9a-f]:[0-9a-f]\{2}:[0-9a-f]\{2}$", Post-Auth-Type
:= "waverider"


   Attribute := Value
Always  matches as a check item, and replaces in the 
configuration items any attribute of the same name.  If no attribute of 
that name appears in the request, then this attribute is added.


Thus, the NAS-Identifier variable you're setting is in the check items.

Maybe try:

update wireless_data set tower = '%{check:NAS-Identifier}'

...and so forth. See doc/variables.txt

Note that setting NAS-Identifier in the check items does not make too 
much sense (unless you are using e.g. rlm_checkval). The NAS is expected 
to send it. A huntgroup would make more sense, or you could add 
NAS-Identifier to the request with e.g. rlm_passwd mapping 
NAS-IP-Address to NAS-Identifier.
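Two threads above turn on the same point: what the check-item operators in the `users` file do, and which attribute list they write to. Phil's quote of the `:=` semantics explains why Duane's `NAS-Identifier := "LAB_CCU"` is invisible to `%{NAS-Identifier}` (it lands in the check list, not the request), and Wipat's `DEFAULT Auth-Type = System` entry behaves differently depending on whether `files` or `ldap` runs first because `=` only sets an attribute that is not already set. The following is an added example, not FreeRADIUS code and not from either poster: a small Python model of the `==`, `=~`, `:=`, `=` and `+=` operators, `Fall-Through`, and the `%{Attr}` versus `%{check:Attr}` expansion, run over both posters' entries. The modelled `ldap` module (which adds `Auth-Type = LDAP` with the `=` operator for users it finds) and the user names are assumptions for the model; `Ldap-Group`, `Huntgroup-Name` and the restriction that `=` is not valid for RADIUS protocol attributes are not modelled.

```python
import re

# Three ordered (attribute, value) lists, as in FreeRADIUS: 'request' is what the
# NAS sent, 'check' is the server-side configuration list that ':=' and '='
# write into, and 'reply' is what goes back in the Access-Accept.

def get(pairs, attr):
    for a, v in pairs:
        if a == attr:
            return v
    return None

def apply_op(pairs, attr, op, value):
    """Write operators, with the semantics documented in users(5)."""
    if op == ":=":                  # replace any existing value, else add
        pairs[:] = [(a, v) for a, v in pairs if a != attr] + [(attr, value)]
    elif op == "=":                 # add only if no attribute of that name exists yet
        if get(pairs, attr) is None:
            pairs.append((attr, value))
    elif op == "+=":                # always append
        pairs.append((attr, value))
    else:
        raise ValueError("not a write operator: " + op)

def matches(request, attr, op, value):
    """Comparison operators: check item versus the request list."""
    have = get(request, attr)
    if op == "==":
        return have == value
    if op == "=~":                  # \{2} in the original users file is POSIX syntax; {2} here
        return have is not None and re.search(value, have) is not None
    raise ValueError("not a comparison operator: " + op)

WRITE_OPS = (":=", "=", "+=")

def files_authorize(entries, request, check, reply):
    """Walk 'users' entries in order like rlm_files; returns the names of matched entries.
    entries: list of (name, check_items, reply_items); each item is (attr, op, value)."""
    matched = []
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != get(request, "User-Name"):
            continue
        if not all(matches(request, a, op, v) for a, op, v in checks if op not in WRITE_OPS):
            continue
        for a, op, v in checks:     # a write operator in the check items lands in 'check', not 'request'
            if op in WRITE_OPS:
                apply_op(check, a, op, v)
        fall_through = False
        for a, op, v in replies:
            if a == "Fall-Through":
                fall_through = v.lower() in ("yes", "1")
            else:
                apply_op(reply, a, op, v)
        matched.append(name)
        if not fall_through:
            break
    return matched

def xlat(template, request, check):
    """%{Attr} reads the request list; %{check:Attr} reads the check list."""
    def sub(m):
        src = check if m.group(1) == "check" else request
        return get(src, m.group(2)) or ""
    return re.sub(r"%\{(?:(check|request):)?([A-Za-z0-9-]+)\}", sub, template)

# Scenario 1: Duane Cox's two DEFAULT entries (regex rewritten in Python syntax).
DUANE_USERS = [
    ("DEFAULT", [("NAS-IP-Address", "==", "192.168.0.251"), ("NAS-Identifier", ":=", "LAB_CCU")],
                [("Fall-Through", "=", "Yes")]),
    ("DEFAULT", [("User-Name", "=~", r"^6[0-9a-f]:[0-9a-f]{2}:[0-9a-f]{2}$"),
                 ("Post-Auth-Type", ":=", "waverider")], []),
]

def duane_queries():
    """Returns the postauth_query expanded via %{NAS-Identifier} and via %{check:NAS-Identifier}."""
    request = [("User-Name", "60:07:93"), ("NAS-IP-Address", "192.168.0.251"), ("NAS-Port", "1")]
    check, reply = [], []
    files_authorize(DUANE_USERS, request, check, reply)
    return (xlat("update wireless_data set tower = '%{NAS-Identifier}'", request, check),
            xlat("update wireless_data set tower = '%{check:NAS-Identifier}'", request, check))

# Scenario 2: Wipat's 'DEFAULT Auth-Type = System' entry and the authorize module order.
WIPAT_USERS = [("DEFAULT", [("Auth-Type", "=", "System")], [("Fall-Through", "=", "1")])]
LDAP_USERS = {"ldapuser"}           # constructed: the one account the directory knows

def ldap_authorize(request, check):
    """Modelling assumption (not rlm_ldap code): for a user found in the directory,
    rlm_ldap adds Auth-Type = LDAP with the '=' operator, i.e. only if still unset."""
    if get(request, "User-Name") in LDAP_USERS:
        apply_op(check, "Auth-Type", "=", "LDAP")

def auth_type_after(order, user):
    """Run the authorize modules in the given order; return the Auth-Type that results."""
    request, check, reply = [("User-Name", user), ("User-Password", "pw")], [], []
    for module in order:
        if module == "ldap":
            ldap_authorize(request, check)
        elif module == "files":
            files_authorize(WIPAT_USERS, request, check, reply)
    return get(check, "Auth-Type")
```

`duane_queries()` returns the query with an empty `tower` first and `'LAB_CCU'` second, which is the difference between the debug output in the post and Phil's `%{check:NAS-Identifier}` suggestion. `auth_type_after(("ldap", "files"), "ldapuser")` gives `LDAP`, while `("files", "ldap")` gives `System` for the same user: once `files` has set `Auth-Type = System`, nothing run later with `=` can change it, and the LDAP user is then checked against `/etc/passwd` and rejected.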


Re: ippool error

2006-07-28 Thread Phil Mayers

Giuseppina Venezia wrote:


users

DEFAULT Service-Type == Framed-User, Huntgroup-Name == "professori", 
User-Profile:="employeeType=professor", Pool-Name := "professori"

Fall-Through = Yes


If the ippool module is saying Pool-Name is not found, then these 
entries must not be matching. Run FreeRadius under debugging with the -X 
argument, and watch for the bit where it processes the "authorize" 
section - see what entries are matched in the "files" module.


need help setting/using attribute

2006-07-28 Thread Duane Cox
Here are parts of my config as well as parts from debug, and I must be doing
something wrong or missed something.
I am trying to set the NAS-Identifier, since it is not sent in the
access-request packet, and use this later in the post-auth section.
As you can see, later in the post-auth section, the attribute is NULL.


rad_recv: Access-Request packet from host 192.168.0.251:1024, id=61,
length=60
User-Name = "60:07:93"
NAS-IP-Address = 192.168.0.251
NAS-Port = 1
User-Password = "buywavc"

users: Matched entry DEFAULT at line 18
users: Matched entry DEFAULT at line 21



DEFAULT NAS-IP-Address == "192.168.0.251", NAS-Identifier := "LAB_CCU"
Fall-Through = Yes

DEFAULT User-Name =~ "^6[0-9a-f]:[0-9a-f]\{2}:[0-9a-f]\{2}$", Post-Auth-Type := 
"waverider"



 sql: postauth_query = "update wireless_data set tower = '%{NAS-Identifier}' 
where serial = 'E' + substring('%{User-Name}',2,1) +
substring('%{User-Name}',4,2) + substring('%{User-Name}',7,2)"



Login OK: [60:07:93] (from client LAB_CCU port 1)
  Found Post-Auth-Type waverider
  Processing the post-auth section of radiusd.conf
modcall: entering group waverider for request 0
rlm_sql (waverider): Processing sql_postauth
radius_xlat:  '60:07:93'
rlm_sql (waverider): sql_set_user escaped user --> '60:07:93'
radius_xlat:  'update wireless_data set tower = '' where serial = 'E' + 
substring('60:07:93',2,1) + substring('60:07:93',4,2) +
substring('60:07:93',7,2)'
rlm_sql (waverider) in sql_postauth: query is update wireless_data set tower = 
'' where serial = 'E' + substring('60:07:93',2,1) +
substring('60:07:93',4,2) + substring('60:07:93',7,2)
rlm_sql (waverider): Reserving sql socket id: 9
rlm_sql (waverider): Released sql socket id: 9
  modcall[post-auth]: module "waverider" returns ok for request 0
modcall: leaving group waverider (returns ok) for request 0
Sending Access-Accept of id 61 to 192.168.0.251 port 1024
Waverider-Grade-Of-Service = silver
Waverider-Priority-Enabled = disabled


Thanks,
Duane Cox



rlm_dbm with empty check and reply items

2006-07-28 Thread Gabriel L. Somlo
Alan & all,

I want to use rlm_dbm for authorization with no check or reply items.
A user is authorized if he is listed in the dbm database, and not
authorized if not present:

modules {
...
dbm {
usersfile = ${confdir}/users.dbm
}
...
}
...
authorize {
...
dbm {
notfound = reject
}
}

So, what I need is a dbm file which has "empty" content associated with
each username key. "Empty" actually means a "\n\n" string (first '\n'
for no check items, second one for no reply items).

I can create such a database by calling dbm routines from my own C code,
and it works fine with the radiusd.conf excerpt above.

HOWEVER, I would like to use the rlm_dbm_parser binary included with the
freeradius package. The trouble is, this code checks for the length of
each content record before inserting into the dbm file, and refuses to
do so unless the record is more than 3 characters long (rlm_dbm_parser.c,
line 158, inside function 'static int storecontent' as per
freeradius-snapshot-20060728):

static int storecontent (const char * username) {

 datum d,k;
 int res;

if ( pdb == NULL || concntr < 3 ) return 1;
/*^^*/

DOUT2("store:\n%s\ncontent:\n%s",username,content);

d.dptr = content;

...

Is there a known good reason why this code wants length >=3, or why it
prevents check items and reply items from being empty at the same time ?

If yes, inquiring minds want to know :)

If not, please apply the attached patch, which modifies the check from < 3
to < 2, allowing "empty" keys to be stored in the dbm.

Thanks much,
Gabriel


diff -NarU5 freeradius.orig/src/modules/rlm_dbm/rlm_dbm_parser.c 
freeradius/src/modules/rlm_dbm/rlm_dbm_parser.c
--- freeradius.orig/src/modules/rlm_dbm/rlm_dbm_parser.c2004-02-26 
14:04:28.0 -0500
+++ freeradius/src/modules/rlm_dbm/rlm_dbm_parser.c 2006-07-27 
15:49:27.0 -0400
@@ -153,11 +153,11 @@
 static int storecontent (const char * username) {
 
 datum d,k;
 int res;
 
-   if ( pdb == NULL || concntr < 3 ) return 1;
+   if ( pdb == NULL || concntr < 2 ) return 1;
 
DOUT2("store:\n%s\ncontent:\n%s",username,content);
 
d.dptr = content;
d.dsize = concntr + 1;
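Review bot: the relaxed guard `if ( pdb == NULL || concntr < 2 ) return 1;` still only checks a byte count, not the record layout the module depends on (one '\n' terminating the check items and a second terminating the reply items, per the description above), so any two-byte buffer passes while the structural requirement goes unverified; consider testing that `content` actually contains the two newline separators, and add a one-line comment beside the constant explaining why 2 is the minimum, since a bare `< 2` reads as a magic number. The unchanged `d.dsize = concntr + 1;` below also means the stored record includes the terminating NUL, so the on-disk size of an "empty" record is 3 bytes, not 2; worth spelling out in the commit message so the next reader does not re-tighten the check.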

need help setting/using attribute, did something wrong...

2006-07-28 Thread Duane Cox
Here are parts of my config as well as parts from debug, and I must be doing
something wrong or missed something.
I am trying to set the NAS-Identifier, since it is not sent in the
access-request packet, and use this later in the post-auth section.
As you can see, later in the post-auth section, the attribute is NULL.


rad_recv: Access-Request packet from host 192.168.0.251:1024, id=61,
length=60
User-Name = "60:07:93"
NAS-IP-Address = 192.168.0.251
NAS-Port = 1
User-Password = "buywavc"

users: Matched entry DEFAULT at line 18
users: Matched entry DEFAULT at line 21



DEFAULT NAS-IP-Address == "192.168.0.251", NAS-Identifier := "LAB_CCU"
Fall-Through = Yes

DEFAULT User-Name =~ "^6[0-9a-f]:[0-9a-f]\{2}:[0-9a-f]\{2}$", Post-Auth-Type
:= "waverider"



 sql: postauth_query = "update wireless_data set tower = '%{NAS-Identifier}'
where serial = 'E' + substring('%{User-Name}',2,1) +
substring('%{User-Name}',4,2) + substring('%{User-Name}',7,2)"



Login OK: [60:07:93] (from client LAB_CCU port 1)
  Found Post-Auth-Type waverider
  Processing the post-auth section of radiusd.conf
modcall: entering group waverider for request 0
rlm_sql (waverider): Processing sql_postauth
radius_xlat:  '60:07:93'
rlm_sql (waverider): sql_set_user escaped user --> '60:07:93'
radius_xlat:  'update wireless_data set tower = '' where serial = 'E' +
substring('60:07:93',2,1) + substring('60:07:93',4,2) +
substring('60:07:93',7,2)'
rlm_sql (waverider) in sql_postauth: query is update wireless_data set tower
= '' where serial = 'E' + substring('60:07:93',2,1) +
substring('60:07:93',4,2) + substring('60:07:93',7,2)
rlm_sql (waverider): Reserving sql socket id: 9
rlm_sql (waverider): Released sql socket id: 9
  modcall[post-auth]: module "waverider" returns ok for request 0
modcall: leaving group waverider (returns ok) for request 0
Sending Access-Accept of id 61 to 63.252.229.251 port 1024
Waverider-Grade-Of-Service = silver
Waverider-Priority-Enabled = disabled


Thanks,
Duane Cox



Re: Accounting error

2006-07-28 Thread Alan DeKok
"Elie Hani" <[EMAIL PROTECTED]> wrote:
> I have this error in the log file:
>
> rlm_sql: packet has no account status type.  [user '', nas x.x.x.x]
...
> Any idea?

  The NAS is broken, and sending accounting packets that don't follow
the RFC's.

  I note also that you were careful to NOT show the contents of that packet.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
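Alan's point is that `rlm_sql`, `rlm_unix` and `rlm_radutmp` are all complaining about the same thing: an Accounting-Request that arrived without an Acct-Status-Type attribute, which RFC 2866 requires, and that the packet contents are what a diagnosis needs. The following is an added example, not FreeRADIUS code and not from the thread: a Python decoder that does what a server should do before trusting an accounting record, namely verify the RFC 2866 Request Authenticator (MD5 over Code, Identifier, Length, sixteen zero octets, the attributes and the shared secret), parse the attributes defensively, and report whether Acct-Status-Type (attribute 40) is present, dumping the attributes so they can be posted. The shared secret, NAS address and both packets are constructed for the example; the second packet imitates the symptom in the log line (empty user name, no status type).

```python
import hashlib
import struct

ACCOUNTING_REQUEST = 4
ACCT_STATUS_TYPE = 40          # RFC 2866 section 5.1: MUST be present in every Accounting-Request
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
              40: "Acct-Status-Type", 44: "Acct-Session-Id"}
ACCT_STATUS_VALUES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_accounting_request(ident, secret, attrs):
    """Encode an Accounting-Request; attrs is a list of (type, raw value bytes).
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def parse_attributes(body):
    """Split the attribute area into (type, value) pairs; refuse lengths that run off the end."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs

def describe(attrs):
    """Readable dump of the attributes, i.e. what to paste into a bug report."""
    out = []
    for t, v in attrs:
        name = ATTR_NAMES.get(t, "Attr-%d" % t)
        if t == ACCT_STATUS_TYPE and len(v) == 4:
            n = struct.unpack("!I", v)[0]
            out.append("%s = %s" % (name, ACCT_STATUS_VALUES.get(n, str(n))))
        elif t == 4 and len(v) == 4:
            out.append("%s = %s" % (name, ".".join(str(b) for b in v)))
        else:
            out.append("%s = %r" % (name, v))
    return out

def check_accounting_request(packet, secret):
    """Validate an Accounting-Request before acting on it.
    Returns {'ok': True, 'attrs': [...]} or {'ok': False, 'reason': ..., ['attrs': ...]}."""
    if len(packet) < 20:
        return {"ok": False, "reason": "shorter than the 20-byte RADIUS header"}
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        return {"ok": False, "reason": "code %d is not Accounting-Request" % code}
    if length != len(packet):
        return {"ok": False, "reason": "Length field %d does not match %d bytes" % (length, len(packet))}
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if packet[4:20] != expected:
        # Wrong shared secret, or not from the NAS it claims to be: drop without reply.
        return {"ok": False, "reason": "Request Authenticator does not verify"}
    try:
        attrs = parse_attributes(body)
    except ValueError as e:
        return {"ok": False, "reason": str(e)}
    if not any(t == ACCT_STATUS_TYPE for t, _ in attrs):
        return {"ok": False, "reason": "no Acct-Status-Type attribute", "attrs": describe(attrs)}
    return {"ok": True, "attrs": describe(attrs)}

SECRET = b"testing123"                                   # constructed shared secret
# Constructed packets: a well-formed Start record, and one from a "broken NAS" that
# sends an empty User-Name and omits Acct-Status-Type, matching the log line quoted above.
GOOD_PACKET = build_accounting_request(7, SECRET, [
    (1, b"kiko"), (4, bytes([192, 168, 0, 251])), (40, struct.pack("!I", 1)), (44, b"0001")])
BROKEN_PACKET = build_accounting_request(8, SECRET, [
    (1, b""), (4, bytes([192, 168, 0, 251])), (44, b"0002")])
```

`check_accounting_request(BROKEN_PACKET, SECRET)` comes back with `ok` false and the reason `no Acct-Status-Type attribute`, together with the decoded attributes (`User-Name = b''`, the NAS address and the session id), which is the information the reply asks for; the same function rejects the good packet outright if the secret is wrong or a byte is missing, so a bad authenticator is never mistaken for a broken NAS.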


Re: Freeradius + OpenLDAP - user password problem

2006-07-28 Thread Alan DeKok
Stuckzor <[EMAIL PROTECTED]> wrote:
> Hello, as you can see, i must be pretty desperate to register somewhere so i
> can ask for help. Anyway, the situation is: i recently set up a freeradius
> server with openldap for auth., everything seemed to work great  (radtest
> returns access-accept ), until i tried to login via notebook and Linksys
> router (with dd-wrt firmware).

  The debug log you posted hows that you set "Auth-Type := LDAP".

  Don't do that.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: sql_set_user escaped user " HELP"

2006-07-28 Thread Alan DeKok
"ravi reddy" <[EMAIL PROTECTED]> wrote:
> So , how can I set the FreeRadius server so that it logs for one call only
> one record?.

  You fix the NAS to send only one record for one call.  The server
does not control how many records are sent for one call.  The NAS does.

  Or, you write a custom processing script for accounting records.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Accounting error

2006-07-28 Thread Elie Hani

Hi;

I have this error in the log file:

rlm_sql: packet has no account status type.  [user '', nas x.x.x.x]

Error: rlm_unix: no Accounting-Status-Type attribute in request.

Error: rlm_radutmp: No Accounting-Status-Type record.

I am using a PostgreSQL database.

Any idea?

Thanks

Elie Hani



AW: Freeradius + OpenLDAP - user password problem

2006-07-28 Thread Christian Poessinger
[EMAIL PROTECTED]
wrote: 
> And here is the example of sucessful logon with radtest:
> 
> radtest bbb badblueboy 192.168.1.129 1 testing123
> 
> 
> rad_recv: Access-Request packet from host 192.168.1.129:35640, id=191,
> length=55
> User-Name = "bbb"
> User-Password = "badblueboy"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 1
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 5
>   modcall[authorize]: module "preprocess" returns ok for request 5
>   modcall[authorize]: module "mschap" returns noop for request 5
> rlm_realm: No '@' in User-Name = "bbb", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 5
> users: Matched entry DEFAULT at line 1
> users: Matched entry DEFAULT at line 156
>   modcall[authorize]: module "files" returns ok for request 5
> modcall: group authorize returns ok for request 5
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 5
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "bbb" with password "badblueboy"
> radius_xlat:  '(uid=bbb)'
> radius_xlat:  'ou=People,dc=BLah,dc=si'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=People,dc=BLah,dc=si, with filter
> (uid=bbb)
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: user DN: uid=bbb,ou=People,dc=BLah,dc=si
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as uid=bbb,ou=People,dc=kapion,dc=si/badblueboy to
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user bbb authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok for request 5
> modcall: group Auth-Type returns ok for request 5 Sending
> Access-Accept of id 191 to 192.168.1.129:35640 Finished request 5
> Going to the next request --- Walking the entire request list --- 
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 5 ID 191 with timestamp 44c9f995 Nothing to do. 
> Sleeping until we see a request. 


Did you take a look at the ldap.attrmap file?

Add these two lines:

checkItem   User-Password   userPassword
checkItem   userPassword    lmPassword


-CP



Re: EAP doest work with Cisco Catalyst 2950?

2006-07-28 Thread Thai Duong
> --- James J J Hooper <[EMAIL PROTECTED]> wrote:
> 
> > Hi,
> >   We had similar problems. An example of what we put
> > in the switch config to get it to work is here:
> >
> 
> > 
> > ... as Josh said - pay particular attention to the
> > dot1x & radius server timeout settings - we found the
> > cisco defaults to be generally broken.
> > 
> > Regards,
> >   James

Attached is the Ethereal dump file from the client
side. There are five messages (>> means traffic from
switch to client, << the reverse):

>> eap request identity
<< eap response identity
>> eap request eap-tls (rfc2716) [aboba]
<< tls client hello
>> eap unknown code (0x30)

It seems that the switch (Catalyst 2950 with IOS
version 12.1(6)EA2c) didn't understand that "Client
Hello" packet from the client, so it returned something
like "unknown code (0x30)". In fact this "Client
Hello" never reached the server.

Here is my switch dot1x configuration:

Global 802.1X Parameters
reauth-enabled    yes
reauth-period     3600
quiet-period      60
tx-period         30
supp-timeout      30
server-timeout    30
reauth-max        2
max-req           2

802.1X Port Summary
Port     Status     Mode                Authorized
Fa0/1    disabled   n/a                 n/a
Fa0/2    enabled    Auto (negotiate)    no
Fa0/3    enabled    Auto (negotiate)    no

aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.168.2.8 auth-port 1812
acct-port 1813 key 
radius-server retransmit 3
radius-server timeout 10
radius-server deadtime 2
radius-server vsa send authentication

Why doesn't the switch understand that Client Hello TLS
packet? What should I do now? I installed freeradius
on another server and created the certificates from
scratch, but still NO LUCK. Please advise.

Regards,

Thai Duong 


ippool error

2006-07-28 Thread Giuseppina Venezia
Hi,
I have this error when a client logs in:

Fri Jul 28 12:49:55 2006 : Debug:   Processing the post-auth section of radiusd.conf
Fri Jul 28 12:49:55 2006 : Debug: modcall: entering group post-auth for request 0
Fri Jul 28 12:49:55 2006 : Debug:   modsingle[post-auth]: calling professori (rlm_ippool) for request 0
Fri Jul 28 12:49:55 2006 : Debug: rlm_ippool: Could not find Pool-Name attribute.
Fri Jul 28 12:49:55 2006 : Debug:   modsingle[post-auth]: returned from professori (rlm_ippool) for request 0
Fri Jul 28 12:49:55 2006 : Debug:   modcall[post-auth]: module "professori" returns noop for request 0
Fri Jul 28 12:49:55 2006 : Debug:   modsingle[post-auth]: calling studenti (rlm_ippool) for request 0
Fri Jul 28 12:49:55 2006 : Debug: rlm_ippool: Could not find Pool-Name attribute.
Fri Jul 28 12:49:55 2006 : Debug:   modsingle[post-auth]: returned from studenti (rlm_ippool) for request 0
Fri Jul 28 12:49:55 2006 : Debug:   modcall[post-auth]: module "studenti" returns noop for request 0
Fri Jul 28 12:49:55 2006 : Debug: modcall: leaving group post-auth (returns noop) for request 0

CONFIG:

radius.conf

ippool professori {
    range-start = 192.168.182.2
    range-stop = 192.168.182.50
    netmask = 255.255.255.0
    cache-size = 800
    session-db = ${raddbdir}/db.ippool
    ip-index = ${raddbdir}/db.ipindex
}

ippool studenti {
    range-start = 192.168.182.129
    range-stop = 192.168.182.254
    netmask = 255.255.255.0
    cache-size = 800
    session-db = ${raddbdir}/db.ippool
    ip-index = ${raddbdir}/db.ipindex
}

post-auth {
    professori
    studenti
}

users

DEFAULT Service-Type == Framed-User, Huntgroup-Name == "professori", User-Profile:="employeeType=professor", Pool-Name := "professori"
    Fall-Through = Yes

DEFAULT Service-Type == Framed-User, Huntgroup-Name == "studenti", User-Profile:="employeeType=student", Pool-Name := "studentii"
    Fall-Through = Yes

huntgroups

professori  NAS-IP-Address == 192.168.182.1
studenti    NAS-IP-Address == 192.168.182.1

Thanks in advance, Giusy


Freeradius + OpenLDAP - user password problem

2006-07-28 Thread Stuckzor

Hello, as you can see, I must be pretty desperate to register somewhere so I
can ask for help. Anyway, the situation is: I recently set up a freeradius
server with openldap for auth., everything seemed to work great (radtest
returns access-accept), until I tried to login via notebook and Linksys
router (with dd-wrt firmware).
Linksys is properly configured, I believe. On the laptop I have chosen WPA2
security using ms-chap, and when I try to connect, the access-request packet
doesn't contain the attribute user-password! I am really stuck here, have no
idea what to do, so any help would be really appreciated. If you need
additional info I will be glad to assist (e.g. post debug output or
something).


Re: Freeradius + OpenLDAP - user password problem

2006-07-28 Thread Stuckzor

And here is an example of a successful logon with radtest:

radtest bbb badblueboy 192.168.1.129 1 testing123


rad_recv: Access-Request packet from host 192.168.1.129:35640, id=191,
length=55
User-Name = "bbb"
User-Password = "badblueboy"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "bbb", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
users: Matched entry DEFAULT at line 1
users: Matched entry DEFAULT at line 156
  modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns ok for request 5
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 5
rlm_ldap: - authenticate
rlm_ldap: login attempt by "bbb" with password "badblueboy"
radius_xlat:  '(uid=bbb)'
radius_xlat:  'ou=People,dc=BLah,dc=si'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=BLah,dc=si, with filter
(uid=bbb)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: uid=bbb,ou=People,dc=BLah,dc=si
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=bbb,ou=People,dc=kapion,dc=si/badblueboy to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user bbb authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 5
modcall: group Auth-Type returns ok for request 5
Sending Access-Accept of id 191 to 192.168.1.129:35640
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 191 with timestamp 44c9f995
Nothing to do.  Sleeping until we see a request.



Re: Freeradius + OpenLDAP - user password problem

2006-07-28 Thread Stuckzor

OK, I guess I should paste that anyway, so here it is, hope it helps:

rad_recv: Access-Request packet from host 192.168.1.1:2051, id=0, length=121
User-Name = "root"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "0016b6016815"
Calling-Station-Id = "00130237d9db"
NAS-Identifier = "0016b6016815"
NAS-Port = 53
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020901726f6f74
Message-Authenticator = 0x4ec4b4b08fe410e47f6c233f47b4dbb0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "root", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
users: Matched entry DEFAULT at line 1
users: Matched entry DEFAULT at line 156
  modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns ok for request 3
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 3
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 3
modcall: group Auth-Type returns invalid for request 3
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.1:2051
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 0 with timestamp 44c9f898
Nothing to do.  Sleeping until we see a request.



sql_set_user escaped user " HELP"

2006-07-28 Thread ravi reddy
Hi Users

I have been using FreeRadius-1.1.2 with a MySQL database, for accounting
purposes only, in combination with Sip-Express-Router.

So, here is what my problem is: some accounting details are very fair but
some are getting very rough data. That means when a call starts it logs
like 4 to 5 records with the start time, and when the call stops it again
logs 5 to 6 records with the acct stop time.

For this reason, "just for one call it is almost writing up to 10
records and my database engine is becoming very slow".

So, how can I set the FreeRadius server so that it logs only one record for one call?

Below are some points I noticed:

"jack" calls "Billy"

Here the radius server is setting records as
sql_set_user escaped user---> jack
when accounting starts and writing to the database.

When acct stops:

sql_set_user escaped user-> jack
"In this style I am getting only one record for one call."

sql_set_user escaped user-->Billy
"If it's like this when acct stops, I am almost getting 10 records for one call."

So, how can I set sql.conf so that the FreeRadius server by default
takes only the called person as "sql_set_user escaped user"?

Please help me guys.

Thank You.

Regards,
Ravi.


Re: EAP doesn't work with Cisco Catalyst 2950?

2006-07-28 Thread Thai Duong
--- Thai Duong <[EMAIL PROTECTED]> wrote:

> Attachment is the debug log of freeradius, please
> take a look at it. It's been two weeks and I still
> can not make this work. Deadline is coming, please help.
> 
> Regards,
> 
> Thai Duong.

Sorry, forgot to attach the debug log.

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/freeradius/etc/raddb/proxy.conf
Config:   including file: /usr/local/freeradius/etc/raddb/clients.conf
Config:   including file: /usr/local/freeradius/etc/raddb/snmp.conf
Config:   including file: /usr/local/freeradius/etc/raddb/eap.conf
Config:   including file: /usr/local/freeradius/etc/raddb/sql.conf
 main: prefix = "/usr/local/freeradius"
 main: localstatedir = "/usr/local/freeradius/var"
 main: logdir = "/usr/local/freeradius/var/log/radius"
 main: libdir = "/usr/local/freeradius/lib"
 main: radacctdir = "/usr/local/freeradius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/freeradius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/freeradius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/freeradius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/freeradius/etc/raddb/certs/server_keycert.pem"
 tls: certificate_file = "/usr/local/freeradius/etc/raddb/certs/server_keycert.pem"
 tls: CA_file = "/usr/local/freeradius/etc/raddb/certs/cacert.pem"
 tls: private_key_password = ""
 tls: dh_file = "/usr/local/freeradius/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/freeradius/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/freeradius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/freeradius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preproces

Re: EAP doesn't work with Cisco Catalyst 2950?

2006-07-28 Thread James J J Hooper



--On Friday, July 28, 2006 02:36:42 -0700 Thai Duong <[EMAIL PROTECTED]> wrote:

--- James J J Hooper <[EMAIL PROTECTED]> wrote:

Hi,
  We had similar problems. An example of what we put in the switch config
to get it to work is here:


... as Josh said - pay particular attention to the dot1x & radius server
timeout settings - we found the cisco defaults to be generally broken.

Regards,
  James

More about the debug log on the switch: I just got something like this:

06:15:31: RADIUS: Initial Transmit FastEthernet0/2 id 33 192.168.22.180:1812, Access-Request, len 212
06:15:31: Attribute 4 6 C0A81617
06:15:31: Attribute 5 6 C352
06:15:31: Attribute 26 23 000902114661
06:15:31: Attribute 61 6 000F
06:15:31: Attribute 1 8 74686169
06:15:31: Attribute 31 19 30302D30
06:15:31: Attribute 6 6 0002
06:15:31: Attribute 24 18 698927AB
06:15:31: Attribute 79 82 02710050
06:15:31: Attribute 80 18 DC8C131A
06:15:31: RADIUS: Received from id 33 192.168.22.180:1812, Access-Challenge, len 1100
06:15:31: Attribute 79 255 0172040A
06:15:31: Attribute 79 255 30373237
06:15:31: Attribute 79 255 0421C4B1
06:15:31: Attribute 79 255 092A8648
06:15:31: Attribute 79 24 6F6F7420
06:15:31: Attribute 80 18 BD53CEE9
06:15:31: Attribute 24 18 C35A3205

That's it. An access-request followed by an access-challenge. Nothing more. Please help.


Could you post a 'show run' of your switch please. (obfuscate any passwords 
or secrets)


Regards,
 James

--
James J J Hooper,
Information Services
University of Bristol
--


Re: EAP doesn't work with Cisco Catalyst 2950?

2006-07-28 Thread Thai Duong


--- James J J Hooper <[EMAIL PROTECTED]> wrote:

> Hi,
>   We had similar problems. An example of what we put
> in the switch config 
> to get it to work is here:
>

> 
> ... as Josh said - pay particular attention to the
> dot1x & radius server 
> timeout settings - we found the cisco defaults to be
> generally broken.
> 
> Regards,
>   James

More about the debug log on the switch: I just got
something like this:

06:15:31: RADIUS: Initial Transmit FastEthernet0/2 id 33 192.168.22.180:1812, Access-Request, len 212
06:15:31: Attribute 4 6 C0A81617
06:15:31: Attribute 5 6 C352
06:15:31: Attribute 26 23 000902114661
06:15:31: Attribute 61 6 000F
06:15:31: Attribute 1 8 74686169
06:15:31: Attribute 31 19 30302D30
06:15:31: Attribute 6 6 0002
06:15:31: Attribute 24 18 698927AB
06:15:31: Attribute 79 82 02710050
06:15:31: Attribute 80 18 DC8C131A
06:15:31: RADIUS: Received from id 33 192.168.22.180:1812, Access-Challenge, len 1100
06:15:31: Attribute 79 255 0172040A
06:15:31: Attribute 79 255 30373237
06:15:31: Attribute 79 255 0421C4B1
06:15:31: Attribute 79 255 092A8648
06:15:31: Attribute 79 24 6F6F7420
06:15:31: Attribute 80 18 BD53CEE9
06:15:31: Attribute 24 18 C35A3205

That's it. An access-request followed by an
access-challenge. Nothing more. Please help.

Thai Duong


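An added example, not code from this thread or from FreeRADIUS: a decoder for the switch's `debug radius` lines quoted above. It names the attributes, reads the EAP header (code, identifier, length) out of the first EAP-Message fragment, checks that the fragments of the Access-Challenge add up to the declared EAP length, and flags that the exchange ends on an Access-Challenge carrying State, which means the supplicant never sent the next Access-Request. The sample log is the quoted one with the mail wrapping undone; the switch prints only the first bytes of each value, so the decoder treats the hex as a prefix and does not try to decode the Vendor-Specific attribute.

```python
"""Decode Cisco 'debug radius' attribute lines and sanity-check the EAP exchange."""
import re
# Standard RADIUS attribute numbers (RFC 2865/2869/3579) for the types in the log.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
              24: "State", 26: "Vendor-Specific", 31: "Calling-Station-Id",
              61: "NAS-Port-Type", 79: "EAP-Message", 80: "Message-Authenticator"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
PKT_RE = re.compile(r"RADIUS: (?:Initial Transmit|Received from) .*?id (\d+) .*?, (Access-\w+), len (\d+)")
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]*)")

# Constructed sample: the switch debug quoted above, with the mail wrapping undone.
SWITCH_DEBUG = """\
06:15:31: RADIUS: Initial Transmit FastEthernet0/2 id 33 192.168.22.180:1812, Access-Request, len 212
06:15:31: Attribute 4 6 C0A81617
06:15:31: Attribute 5 6 C352
06:15:31: Attribute 26 23 000902114661
06:15:31: Attribute 61 6 000F
06:15:31: Attribute 1 8 74686169
06:15:31: Attribute 31 19 30302D30
06:15:31: Attribute 6 6 0002
06:15:31: Attribute 24 18 698927AB
06:15:31: Attribute 79 82 02710050
06:15:31: Attribute 80 18 DC8C131A
06:15:31: RADIUS: Received from id 33 192.168.22.180:1812, Access-Challenge, len 1100
06:15:31: Attribute 79 255 0172040A
06:15:31: Attribute 79 255 30373237
06:15:31: Attribute 79 255 0421C4B1
06:15:31: Attribute 79 255 092A8648
06:15:31: Attribute 79 24 6F6F7420
06:15:31: Attribute 80 18 BD53CEE9
06:15:31: Attribute 24 18 C35A3205
"""

def parse_debug(text):
    """Group 'Attribute <type> <length> <hex prefix>' lines under their packet line."""
    packets = []
    for line in text.splitlines():
        p, a = PKT_RE.search(line), ATTR_RE.search(line)
        if p:
            packets.append({"id": int(p[1]), "code": p[2], "len": int(p[3]), "attrs": []})
        elif a and packets:  # zfill pads an odd-length hex prefix to whole bytes
            raw = bytes.fromhex(a[3].zfill(len(a[3]) + len(a[3]) % 2))
            packets[-1]["attrs"].append((int(a[1]), int(a[2]), raw))
    return packets

def describe(attr_type, length, prefix):
    """Render one attribute; the switch prints only the first bytes of each value."""
    name = ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")
    if attr_type == 4 and len(prefix) == 4:            # NAS-IP-Address: dotted quad
        value = ".".join(str(b) for b in prefix)
    elif attr_type in (5, 6, 61):                       # integer attributes
        value = str(int.from_bytes(prefix, "big"))
    elif attr_type in (1, 31):                          # text, possibly truncated
        value = repr(prefix.decode("ascii", "replace")) + ("..." if length - 2 > len(prefix) else "")
    elif attr_type == 79 and len(prefix) >= 4:          # EAP header: code, id, length
        value = f"EAP {EAP_CODES.get(prefix[0], prefix[0])} id={prefix[1]} declared_len={int.from_bytes(prefix[2:4], 'big')}"
    else:
        value = prefix.hex() + "..."
    return f"{name}({attr_type}) len={length}: {value}"

def check_eap(packet):
    """First EAP-Message fragment carries the EAP header; its declared length must equal
    the payload carried by all fragments (each attribute length minus its 2-byte header)."""
    frags = [(ln, px) for t, ln, px in packet["attrs"] if t == 79]
    if not frags or len(frags[0][1]) < 4:
        return None
    hdr, carried = frags[0][1], sum(ln - 2 for ln, _ in frags)
    declared = int.from_bytes(hdr[2:4], "big")
    return {"code": EAP_CODES.get(hdr[0], str(hdr[0])), "id": hdr[1], "len": declared,
            "fragments": len(frags), "carried_len": carried, "consistent": declared == carried}

def exchange_status(packets):  # a challenge carrying State expects a follow-up Access-Request
    last = packets[-1] if packets else None
    stalled = last and last["code"] == "Access-Challenge" and any(t == 24 for t, _, _ in last["attrs"])
    return "stalled: ends on Access-Challenge with State, no follow-up Access-Request" if stalled else "ok"
```

For the quoted log the decoder reports an EAP Response (id 113, 80 bytes) answered by an EAP Request (id 114) of 1034 bytes spread over five EAP-Message fragments, which is the server's first EAP-TLS flight; the missing third packet is what the switch debug shows as "nothing more".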


Re: EAP doesn't work with Cisco Catalyst 2950?

2006-07-28 Thread Thai Duong


--- James J J Hooper <[EMAIL PROTECTED]> wrote:

> Hi,
>   We had similar problems. An example of what we put
> in the switch config 
> to get it to work is here:
>

> 
> ... as Josh said - pay particular attention to the
> dot1x & radius server 
> timeout settings - we found the cisco defaults to be
> generally broken.
> 
> Regards,
>   James

Hi James, I followed your guide but still no luck. It
seems that the problem remains in the server or client
side settings, not in the switch. I always get
something like:

rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 05a8], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0080], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error::lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3

WTF is rlm_eap: SSL error error::lib(0):func(0):reason(0)?

Attachment is the debug log of freeradius, please take
a look at it. It's been two weeks and I still can not
make this work. Deadline is coming, please help.

Regards,

Thai Duong.




Re: How to handle non digest messeg if Auth-Type is set to Digest?

2006-07-28 Thread biuro

You are absolutely right :) Today in the morning we set Auth-Type exactly the
same way as you propose :) Now it works.

Thanx

Quoting Phil Mayers <[EMAIL PROTECTED]>:


GlobeInPhotos wrote:


I've commented out the line in the users file

#DEFAULT Auth-Type := Digest


Finally.

That line? That *was* you setting Auth-Type to Digest.



But now I've got the following message if a non-digest message arrives:

rad_recv: Access-Request packet from host 153.19.130.250:46963, id=190,
length=80
User-Name = "[EMAIL PROTECTED]"
Service-Type = SIP-Callee-AVPs
NAS-Port = 0
NAS-IP-Address = 153.19.130.250

[cut]

auth: type Local
auth: No User-Password or CHAP-Password attribute in the request


Ok, so for these non-digest requests, you'll have to configure the 
server to authenticate them without a password being present. This is 
one of those rare cases where you *do* set auth-type.


So, something like in radiusd.conf:

authorize {
  preprocess
  # digest will set Auth-Type=Digest IF AND ONLY IF this
  # request is a real digest one
  digest
  files
  # maybe other modules
}

...and in "users":

# Since the Auth-Type = Accept is a conditional set, this
# entry will NOT MATCH if the "digest" module has already
# set Auth-Type=Digest
#
# Therefore, it should only match your "special" requests
DEFAULT Service-Type==SIP-Callee-AVPs, Auth-Type = Accept
VoIP-Attribute-1 = value1,
Other-Attribute = otherval

That is: If a request comes in with Service-Type == SIP-Callee-AVPs, 
then set Auth-Type to accept IF AND ONLY IF it isn't already set (= 
is conditional set; := which you were using earlier is unconditional 
set - see "man users"). Then set some attributes on the reply.


You didn't show one of your other (the "real" digest) requests so I 
can't be sure what they look like, but something like the above 
should work.








Re: Assignment of range of IP to a specific VLAN

2006-07-28 Thread Phil Mayers

radhika putty wrote:

Hi all
 
Is there any way that the Radius server could instruct the Access Point 
to assign a range of IP Addresses for a specific VLAN. Or does this 
configuration need to be done in the Access Point itself. I couldn't find 
any option to do this in the Access Point. btw I use Proxim4000. Pls 
throw some light on this


Wireless clients on 802.1x networks use DHCP to get IPs. Radius is not 
involved.


You can on some APs put the client into a different VLAN using radius 
attributes in the reply, and configure the DHCP server to hand different 
IPs out. Consult your AP documentation for details, but typically if the 
AP uses the "standard" way of doing it:


user1   User-Password := "something"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "123"
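What the AP actually receives for the users entry above, as an added example that is not code from the reply or from FreeRADIUS: the three tunnel attributes in their RFC 2868 tagged wire format, plus the decoding an AP performs. The attribute numbers and enumerated values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802) are RFC constants; using tag 0 ("unused") by default is an assumption about what the server emits, and the `tag` parameter shows the tagged form.

```python
"""Wire encoding of the RFC 2868 tunnel attributes used for VLAN assignment."""
import struct

# Attribute numbers and enumerated values from RFC 2868, as named in the users entry.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ATTR_NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-Id"}
VLAN, IEEE_802 = 13, 6

def tagged_integer(attr, value, tag=0):
    """Tagged integer: type, length 6, 1-byte tag (0 = unused), 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F or not 0 <= value < 1 << 24:
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr, value, tag=0):
    """Tagged string: type, length, 1-byte tag, then the string bytes."""
    data = value.encode("ascii")
    if not 0 <= tag <= 0x1F or not 0 < len(data) <= 252:
        raise ValueError("tag must be 0..31 and string 1..252 bytes")
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data

def vlan_reply_attributes(vlan_id, tag=0):
    """The three reply attributes from the users entry, as the AP receives them."""
    return (tagged_integer(TUNNEL_TYPE, VLAN, tag)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan_id, tag))

def decode_attributes(buf):
    """Walk the attribute TLVs as an AP would and return (name, tag, value) triples."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("truncated or malformed attribute")
        attr, length = buf[i], buf[i + 1]
        body = buf[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(body) == 4:
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID and body:
            # RFC 2868: a leading byte above 0x1F is string data, not a tag
            tag, rest = (body[0], body[1:]) if body[0] <= 0x1F else (0, body)
            value = rest.decode("ascii")
        else:
            tag, value = 0, body
        out.append((ATTR_NAMES.get(attr, f"Attr-{attr}"), tag, value))
        i += length
    return out
```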


Re: Error: Discarding duplicate request

2006-07-28 Thread Phil Mayers

Aleksandar Stojilkovic wrote:

Aleksandar Stojilkovic wrote:

Hello,

My log is full of this kind of error:

Wed Jul 26 02:55:54 2006 : Error: Discarding duplicate request from 
client APMajur:2048 - ID: 27 due to unfinished request 11$

Don't post to the list in HTML. Awful HTML at that...

This is normally caused by a slowly-responding database (e.g. 
SQL, LDAP) or upstream proxy server. Make "the thing" respond 
quicker. Without more details as to your configuration, we 
can only guess, but maybe indices on key SQL tables and/or 
optimising the queries?

-


Thanks. I suspected so, so I increased the timeout between requests on my NASes
from 200ms to 600ms. Everything worked fine for 3 days and then again the
same...


That won't solve the problem, and I'm not surprised it came back. You 
need to speed the backend up, not have the radius server wait longer.




Which computer configuration is recommended for my needs: Freeradius with
Mysql for about 1000 users that connect to the network using wireless
connections?


Any reasonably modern computer e.g. ~1.6GHz >512Mb ram, reasonably fast 
disks to support the database, should be able to handle that load. It's 
likely a slowdown on the MySQL side.


Some possibilities:

 1. Are all your queries on tables which are indexed properly?
 2. Are you periodically emptying or archiving old data from the 
accounting table? Because if not, the time to insert accounting entries 
will just go up and up as the table grows.


Re: How to handle non digest messeg if Auth-Type is set to Digest?

2006-07-28 Thread Phil Mayers

GlobeInPhotos wrote:


I've commented out the line in the users file

#DEFAULT Auth-Type := Digest


Finally.

That line? That *was* you setting Auth-Type to Digest.



But now I've got the following message if a non-digest message arrives:

rad_recv: Access-Request packet from host 153.19.130.250:46963, id=190,
length=80
User-Name = "[EMAIL PROTECTED]"
Service-Type = SIP-Callee-AVPs
NAS-Port = 0
NAS-IP-Address = 153.19.130.250

[cut]

auth: type Local
auth: No User-Password or CHAP-Password attribute in the request


Ok, so for these non-digest requests, you'll have to configure the 
server to authenticate them without a password being present. This is 
one of those rare cases where you *do* set auth-type.


So, something like in radiusd.conf:

authorize {
  preprocess
  # digest will set Auth-Type=Digest IF AND ONLY IF this
  # request is a real digest one
  digest
  files
  # maybe other modules
}

...and in "users":

# Since the Auth-Type = Accept is a conditional set, this
# entry will NOT MATCH if the "digest" module has already
# set Auth-Type=Digest
#
# Therefore, it should only match your "special" requests
DEFAULT Service-Type==SIP-Callee-AVPs, Auth-Type = Accept
VoIP-Attribute-1 = value1,
Other-Attribute = otherval

That is: If a request comes in with Service-Type == SIP-Callee-AVPs, 
then set Auth-Type to accept IF AND ONLY IF it isn't already set (= is 
conditional set; := which you were using earlier is unconditional set - 
see "man users"). Then set some attributes on the reply.


You didn't show one of your other (the "real" digest) requests so I 
can't be sure what they look like, but something like the above should work.


Assignment of range of IP to a specific VLAN

2006-07-28 Thread radhika putty
Hi all

Is there any way that the Radius server could instruct the Access Point to
assign a range of IP Addresses for a specific VLAN. Or does this configuration
need to be done in the Access Point itself. I couldn't find any option to do
this in the Access Point. btw I use Proxim4000. Pls throw some light on this

Thanks
Radhika
	